Federal Office for the Protection of the Constitution and Bitkom want more cyber security

IT association Bitkom and the Federal Office for the Protection of the Constitution see a serious threat to the German economy and consider expertise in Germany to be necessary.

The perception of the cyber security situation among companies in Germany has changed significantly. "Two thirds of companies feel that their existence is threatened by cyberattacks," said Bitkom President Ralf Wintergerst in Berlin this morning. 91% of the 1,000 or so German companies from all sectors surveyed stated that they had been affected or probably affected by theft, industrial espionage or sabotage in the past twelve months.

The Vice President of the Federal Office for the Protection of the Constitution (BfV), Sinan Selen, considers this to be an understatement: "Nine percent simply don't know – we have to assume that practically every company is affected by attacks." The aggressiveness and intensity of attacks are increasing significantly, said Selen.

The current damage to the German economy, said Bitkom President Wintergerst, citing calculations and surveys by Bitkom Research, amounted to 266.6 billion euros. However, this calculation also includes the indirect costs of the attacks, such as costs for public relations work and legal advice.

According to the survey, the largest single amount of damage was caused by the theft of or damage to information and production systems or operational processes: according to the companies, this accounted for 54.4 billion euros, followed by legal disputes at 53.1 billion euros and loss of sales at 39.2 billion euros. This means that business interruption losses are two-fifths higher than in the previous year, while the costs for legal disputes in connection with claims developed similarly.

The biggest threat from a business perspective is currently organized crime: 70% of the companies surveyed named it as an attacker, which is 9% more than in 2023 and 19% more than in 2022. There has been a significant increase in the attribution of attacks to foreign intelligence services: 20% believe they can identify them. BfV Vice President Selen emphasized that precise attribution is becoming increasingly difficult because the boundaries between state and non-state actors are becoming increasingly blurred. The Federal Office for the Protection of the Constitution has been pointing out for months that ostensibly private actors now often act as service providers for government agencies.

The professionalization of attackers is a major concern for the Office for the Protection of the Constitution. "Zero-day vulnerabilities play a central role," warned Selen, adding that the BfV is observing an industrialization of attackers. They carry out comprehensive analyses of the attack surface, covering not only the company itself but also its supply chain and partners, in order to cause maximum damage. Attacks on IT service providers, servers and the communication infrastructure of companies are now commonplace. An efficient defense therefore requires a correspondingly comprehensive approach.

However, Bitkom President Wintergerst sees a positive development here: not least thanks to the politically controversial Supply Chain Act, many companies now know more about the service providers for their products. The separation of a group's SAP systems between German and Chinese locations, for example, does not actually make business sense, but is necessary as long as there are no alternatives. However, this restructuring along the supply chain is increasingly taking place.

However, the deeper you look into it, the more likely it is that some component will end up coming from China. BfV Vice President Sinan Selen emphasized that it is not about "putting up walls and stopping trade. It's simply about seeing not only the opportunities, but also the risks." And these are certainly present in China, for example.

According to the Bitkom survey, the countries of origin of the attacks observed by companies are led by the People's Republic of China at 45 percent, followed by Russia at 39 percent, Eastern Europe excluding Russia and the EU at 32 percent, and the USA at 25 percent. 36% could not be assigned by the companies. Selen pointed out, however, that the assignment is often anything but clear, as infrastructure in other countries is often used.

The provider's country of origin is now a decisive factor in the procurement of cyber security solutions, said Wintergerst: 71% consider it a decisive selection criterion. He also sees this as an opportunity for Germany as a cyber security location. After all, the Bitkom President, who is also Managing Director of security service provider Giesecke+Devrient, concludes from the problems in the cyber security supply chain, such as in the CrowdStrike and Check Point cases, that more expertise is needed in Germany.

The solutions of large US companies, for example, are very powerful. However, if you only buy in technology, at some point you will no longer be able to assess it and you will become a "digital colony", said the Bitkom President. He was supported in this assessment by BfV Vice President Sinan Selen: national resilience in supply chains must be further strengthened. According to the survey published today, however, there is a greater willingness to invest in IT security: 17% of the IT budget is now being spent on it.

Selen warned start-ups in particular not to underestimate their attractiveness as an attack target. Especially as suppliers for certain sectors such as aerospace or battery technologies, where other countries are trying to catch up, they often underestimate the danger. Overall, however, a cultural change is necessary, including in the way published information is handled. For example, "overly precise tenders and job advertisements" are published. These give attackers material for analysis, which is then evaluated automatically in order to find entry points. Customer data and data from research and development as well as corporate development are seen as particular targets.

It is positive that companies are now investing more in cyber security. With the exception of operators of critical infrastructures, however, the speed Selen would like to see in defensive reactions has not yet been reached, for example when vulnerability reports are distributed by the Federal Office for Information Security. Selen also called for a simple way to provide companies with contact persons: "If there is a fire, call the fire department on 112," he said, explaining his concern. "We have not yet achieved this level of simplicity."

(dahe)

This article was originally published in German. It was translated with technical assistance and editorially reviewed before publication.